OpenShift Bugs: OCPBUGS-440

Generated CA missing CN and including unnecessary keys


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Affects Version/s: 4.12.0
    • Fix Version/s: 4.12.0
    • Component/s: OLM



      Description of problem:

      Recently during an audit on a user's cluster, it was discovered that
      OLM's certificate generation functionality has a few minor shortcomings.

      1. The generated CA and server cert do not include a common name,
        which causes some tooling to have trouble tracing the cert chain.
      2. The generated CA and server cert include unnecessary key usages,
        which means those certificates can be used for more than their
        intended purposes.

      How reproducible: Always

      jlanford@redhat.com, could you please double-check what I've put below? QE is asking for a bug ticket for this fix (makes sense, as it helps them verify everything is correct and gives us traceability).

      Steps to Reproduce:

      oc get secret -n openshift-operator-lifecycle-manager packageserver-service-cert -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text

      Actual results:

      • Common Name not present in certificate data
      • X509v3 extensions include:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication

      Expected results:

      • Common Name must be present in certificate
      • X509v3 extensions should NOT include Digital Signature under Key Usage
      • X509v3 extensions should NOT include Extended Key Usage (other than *TLS Web Server Authentication*)
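The openssl command above only shows the fields; it does not say whether they match the intended purpose of each certificate. The Go program below is an added example (not OLM's own certificate code, which this ticket does not reproduce) that issues a CA and a serving certificate in both shapes and lints them against the profile a practitioner expects: CA with a Common Name, CA:TRUE, Key Usage limited to Certificate Sign (CRL Sign tolerated) and no Extended Key Usage; serving cert with a Common Name, not a CA, Key Usage limited to Digital Signature (Key Encipherment tolerated for RSA keys) and Extended Key Usage of exactly TLS Web Server Authentication. One caveat relative to the ticket's wording: a TLS serving certificate does need Digital Signature, because the TLS handshake signature uses that bit; the bit that does not belong on the serving cert is Certificate Sign. The host name, the "-ca" naming of the CA subject and the use of P-256 ECDSA keys are assumptions made for the example. VerifyChain is the same chain trace that "tracing the cert chain" tooling performs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Lint lists deviations from the expected profile. CA: Common Name, CA:TRUE, Key Usage only
// Certificate Sign (CRL Sign tolerated), no EKU. Serving: Common Name, not a CA, Key Usage
// only Digital Signature (Key Encipherment tolerated), EKU exactly TLS Web Server Authentication.
func Lint(c *x509.Certificate, isCA bool) []string {
	var f []string
	if c.Subject.CommonName == "" {
		f = append(f, "Common Name not present")
	}
	allowed := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if isCA {
		allowed = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		if !c.BasicConstraintsValid || !c.IsCA || c.KeyUsage&x509.KeyUsageCertSign == 0 {
			f = append(f, "CA lacks CA:TRUE basic constraint or Certificate Sign")
		}
		if len(c.ExtKeyUsage) > 0 {
			f = append(f, "CA should carry no Extended Key Usage")
		}
	} else if c.IsCA || len(c.ExtKeyUsage) != 1 || c.ExtKeyUsage[0] != x509.ExtKeyUsageServerAuth {
		f = append(f, "serving cert must not be a CA and must have EKU exactly serverAuth")
	}
	if extra := c.KeyUsage &^ allowed; extra != 0 {
		f = append(f, fmt.Sprintf("unnecessary Key Usage bits %#x", int(extra)))
	}
	return f
}

// issue generates a P-256 key for tmpl and signs it with parentKey; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPair issues a CA and a serving certificate for host. tight=false reproduces the shape
// reported in the ticket (no CN, Digital Signature + Certificate Sign, client+server EKU).
func BuildPair(host string, tight bool) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now().Add(-time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: now, NotAfter: now.Add(48 * time.Hour)}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), BasicConstraintsValid: true, NotBefore: now, NotAfter: now.Add(48 * time.Hour), DNSNames: []string{host}}
	caTmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign
	caTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	srvTmpl.KeyUsage, srvTmpl.ExtKeyUsage = caTmpl.KeyUsage, caTmpl.ExtKeyUsage
	if tight {
		caTmpl.Subject = pkix.Name{CommonName: host + "-ca"} // hypothetical CA naming, not OLM's
		caTmpl.KeyUsage, caTmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		srvTmpl.Subject = pkix.Name{CommonName: host}
		srvTmpl.KeyUsage = x509.KeyUsageDigitalSignature
		srvTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	serving, _, err := issue(srvTmpl, ca, caKey)
	return ca, serving, err
}

// VerifyChain traces serving back to ca for host with the serverAuth purpose.
func VerifyChain(ca, serving *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	_, err := serving.Verify(opts)
	return err
}

func main() {
	host := "packageserver-service.openshift-operator-lifecycle-manager.svc" // assumed service host name
	for _, tight := range []bool{false, true} {
		ca, srv, err := BuildPair(host, tight)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tight=%v CA=%v serving=%v chain=%v\n", tight, Lint(ca, true), Lint(srv, false), VerifyChain(ca, srv, host))
	}
}
```

Running it prints three findings for each certificate in the loose shape (missing Common Name, an Extended Key Usage that is wrong for the role, and a Key Usage bit the role does not need) and none in the tight shape, while the chain verifies in both cases: a cert that verifies is not the same as a cert that is limited to its purpose, which is why the lint step is separate from the chain trace.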

            People: Per Goncalves da Silva (pegoncal@redhat.com), bruno andrade